Vulnerability Accountability Levers and How You Can Use Them - Amélie Koran BSides NOVA 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

Vulnerability Accountability Levers and How You Can Use Them
Amélie Koran (@webjedi)
BSidesNOVA 2018

With the advent of bug bounties and the vulnerability equities process (VEP), issues have arisen in the informal communication and action channels within the Federal government used to get agencies to identify and patch critical system and service flaws. Without strong leadership from the executive branch, agencies and researchers have been left on their own to work the labyrinthine communication channels required to notify organizations about flaws, to ensure the flaws actually get fixed, and to establish some expectation of accountability.
This is where the Federal Inspector General system may provide a benefit. As chartered by the Inspector General Act of 1978, and further bolstered by the IG Empowerment Act of 2016, IGs oversee the operations of their particular agencies, and in doing so actively review agencies' security and compliance with various laws and guidelines. In this role they not only can hold agencies accountable, but are in an interesting position: they know who to talk to within their agencies and can also ensure that patches and fixes are applied. In many cases, the IG's office also manages the hotlines and whistleblower programs within agencies, which exist for employees as well as for the public. These can be leveraged as a communication channel for reporting vulnerabilities and other issues to agencies.

Amélie Koran

Amélie E. Koran serves as the Deputy Chief Information Officer for the U.S. Department of Health and Human Services, Office of the Inspector General. Amélie’s path to DHHS OIG took her the long way around, through multiple industry sectors, academia, and the public sector. Her professional experience includes time spent at The Walt Disney Company, Carnegie Mellon University CERT/CC, Mandiant, The World Bank, and The American Chemical Society. She began her time in the public sector as Lead Enterprise Security Architect for the U.S. Department of the Interior, eventually moving on to lead Continuous Diagnostics and Mitigation implementation for the U.S. Treasury Department. Amélie later spent time on a leadership development rotation as part of the President’s Management Council Fellowship serving the Federal CIO in supporting cybersecurity policy analysis and legislative review, where she took an active role in the government-wide Open Data Initiative and helped in giving “birth” to the United States Digital Service (USDS). She’s an ardent advocate for innovative approaches to hiring talent and rationally applying security strategies and technologies for the Federal Government space.